MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 eeeb29513e624adb88d3c2e9f89379361aa356001dc338cb6ec9034a48bdc2cd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


njrat


Vendor detections: 6


Intelligence 6 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: eeeb29513e624adb88d3c2e9f89379361aa356001dc338cb6ec9034a48bdc2cd
SHA3-384 hash: eddf6460950d7d6f5526408d0ce388192029323b0494263435655870fc3c7def5efdba4be10b75cc57b94a44b603862c
SHA1 hash: 6776ba15540b3ec7d8a1f244392aad0336e5e395
MD5 hash: 7f71ff578e8887674064e624769ffc69
humanhash: pizza-glucose-seven-berlin
File name:Quotation.vbs
Download: download sample
Signature njrat
Create hunting rule
File size:1'315 bytes
First seen:2021-08-08 06:08:50 UTC
Last seen:Never
File type:Visual Basic Script (vbs) vbs
MIME type:text/plain
ssdeep 24:AP/mnvPmnoy9gy35SNihPH3bqreIqmQHhXvAN5mPT+mP1EeYI3SDKV:0GPaoy9gswCPbqrdcAN54i81EeYI3D
Threatray 90 similar samples on MalwareBazaar
TLSH T1C321D0146A8BE1359D01D6C25AED4A61F26E62AAF4744471363BC118D07E4EE35C3A8F
Reporter abuse_ch
Tags:NjRAT RAT vbs


Avatar
abuse_ch
NjRAT payload URLs:
http://transfer.sh/1himUHb/ball_bypass_llllooollllll444119990000.txt
http://transfer.sh/1Ag5gVG/defender_llllllllllllllloollll56765666.txt

Intelligence

File Origin
# of uploads :
1
# of downloads :
406
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/177216/
Detection(s):
SecuriteInfo.com.VBS.TrojanDownloader.Agent.VUE.8464.21121.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Launching a process
Creating a process with a hidden window
DNS request
Connection attempt
Sending an HTTP GET request
Sending a UDP request
Using the Windows Management Instrumentation requests
Sending a custom TCP request
Creating a file in the %AppData% subdirectories
Enabling autorun by creating a file
Unauthorized injection to a system process
Result
Verdict:
UNKNOWN
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
72 / 100
Link:
https://www.joesandbox.com/analysis/828737
Signature
Creates an undocumented autostart registry key
Obfuscated command line found
Sigma detected: Suspicious PowerShell Command Line
VBScript performs obfuscated calls to suspicious functions
Wscript starts Powershell (via cmd or directly)
Yara detected Powershell download and execute
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/eeeb29513e624adb88d3c2e9f89379361aa356001dc338cb6ec9034a48bdc2cd/
Threat name:
Script.Downloader.Heuristic
Create hunting rule
Status:
Malicious
First seen:
2021-08-08 06:09:04 UTC
AV detection:
2 of 46 (4.35%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=53vssuj6mjfnxcgtylu7re3zgynkgvqadxbtrs3ozebuusf5ylgq._file
Verdict:
suspicious
Similar samples:
416f3b7993ceaa6819402c66c9b2de0a4de163cd9765dd8dffe81cdbab538c48
njrat
59c0a91faf884e242be0d2384d94eba2536a8f155ae568355eed225f2543176e
njrat
66af5edcb0b90924a25f4cf764ae81eb754b58da9bde404761f48eafd1ead410
njrat
88614f9e923a5d979c64bee190f05f0932bc01f351ded417c59e1b2a92be560b
njrat
8c9d614da4ea17f4261a105adbe73992c0df1f5639310f78db244fdf3fe338fe
njrat
ac4ae7801b367cf16c0ce1a97495a2b0cf51258cf29185acac6f2d56237d237f
njrat
c3ddf55e53888193522a7b619370b746cb0a79502c5157a98754a9009f644a11
njrat
d9d27f03e2f8bc97451296da9a7ddeac39ede3240306fa198bf898434b58c53c
njrat
df047189f75d998dc499072881c762fd001360f5cf184b801cb8c232b5c567f6
njrat
f44394f10dd10600a8f25093e76fac442c594ea85debf6bfea0933766529f747
njrat
+ 80 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
suricata
Link:
https://tria.ge/reports/210808-j5r9zgahqs/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Blocklisted process makes network request
suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)
Malware Config
Dropper Extraction:
http://transfer.sh/1himUHb/ball_bypass_llllooollllll444119990000.txt
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/eeeb29513e62/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/eeeb29513e624adb88d3c2e9f89379361aa356001dc338cb6ec9034a48bdc2cd

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

njrat

Visual Basic Script (vbs) vbs eeeb29513e624adb88d3c2e9f89379361aa356001dc338cb6ec9034a48bdc2cd

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/177216/

Comments